API modified so server side can get mki value
+ client side discards self mki if server does not support it
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 84082f3..398eb01 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3257,7 +3257,8 @@
unsigned char *mki_value,
uint16_t mki_len );
/**
- * \brief Get the negotiated DTLS-SRTP Protection Profile.
+ * \brief Get the negotiated DTLS-SRTP informations:
+ * Protection profile and MKI value.
*
* \warning This function must be called after the handshake is
* completed. The value returned by this function must
@@ -3265,14 +3266,20 @@
*
* \param ssl The SSL context to query.
*
- * \return The DTLS SRTP protection profile in use. The return type is
- * a direct mapping of the iana defined value for protection
+ * \return The negotiated DTLS-SRTP informations:
+ * - Protection profile in use.
+ * A direct mapping of the iana defined value for protection
* profile on an uint16_t.
* http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
- * \return #MBEDTLS_TLS_SRTP_UNSET if the use of SRTP was not negotiated
+ * #MBEDTLS_TLS_SRTP_UNSET if the use of SRTP was not negotiated
* or peer's Hello packet was not parsed yet.
+ * - mki size and value (if size is > 0). These informations are valid only
+ * if the protection profile returned is not MBEDTLS_TLS_SRTP_UNSET.
+ * Ownership of the returned structure is kept by the ssl context,
+ * the caller must duplicate any information that must live longer than
+ * the context (typically MKI size and value if any)
*/
-mbedtls_ssl_srtp_profile mbedtls_ssl_get_dtls_srtp_protection_profile
+const mbedtls_dtls_srtp_info *mbedtls_ssl_get_dtls_srtp_negotiation_result
( const mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_DTLS_SRTP */
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index ddbe5ca..56a71c6 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1925,6 +1925,14 @@
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
+
+ /* If server does not use mki in its reply, make sure the client won't keep
+ * one as negotiated */
+ if( len == 5 )
+ {
+ ssl->dtls_srtp_info.mki_len = 0;
+ }
+
/*
* RFC5764:
* If the client detects a nonzero-length MKI in the server's response
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a9e5523..cee8ba1 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4751,10 +4751,10 @@
return( 0 );
}
-mbedtls_ssl_srtp_profile
- mbedtls_ssl_get_dtls_srtp_protection_profile( const mbedtls_ssl_context *ssl )
+const mbedtls_dtls_srtp_info *
+ mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl )
{
- return( ssl->dtls_srtp_info.chosen_dtls_srtp_profile );
+ return( &( ssl->dtls_srtp_info ) );
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index c70346a..d53a40a 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2754,8 +2754,10 @@
else if( opt.use_srtp != 0 )
{
size_t j = 0;
+ const mbedtls_dtls_srtp_info *dtls_srtp_negotiation_result =
+ mbedtls_ssl_get_dtls_srtp_negotiation_result( &ssl );
- if( ( mbedtls_ssl_get_dtls_srtp_protection_profile( &ssl )
+ if( ( dtls_srtp_negotiation_result->chosen_dtls_srtp_profile
== MBEDTLS_TLS_SRTP_UNSET ) )
{
mbedtls_printf( " Unable to negotiate "
@@ -2797,6 +2799,20 @@
mbedtls_printf( "%02X", dtls_srtp_key_material[j] );
}
mbedtls_printf( "\n" );
+
+ if ( dtls_srtp_negotiation_result->mki_len > 0 )
+ {
+ mbedtls_printf( " DTLS-SRTP mki value: " );
+ for( j = 0; j < dtls_srtp_negotiation_result->mki_len; j++ )
+ {
+ mbedtls_printf( "%02X", dtls_srtp_negotiation_result->mki_value[j] );
+ }
+ }
+ else
+ {
+ mbedtls_printf( " DTLS-SRTP no mki value negociated" );
+ }
+ mbedtls_printf( "\n" );
}
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 97929cd..126a64c 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3865,8 +3865,10 @@
else if( opt.use_srtp != 0 )
{
size_t j = 0;
+ const mbedtls_dtls_srtp_info *dtls_srtp_negotiation_result =
+ mbedtls_ssl_get_dtls_srtp_negotiation_result( &ssl );
- if( ( mbedtls_ssl_get_dtls_srtp_protection_profile( &ssl )
+ if( ( dtls_srtp_negotiation_result->chosen_dtls_srtp_profile
== MBEDTLS_TLS_SRTP_UNSET ) )
{
mbedtls_printf( " Unable to negotiate "
@@ -3908,6 +3910,21 @@
mbedtls_printf( "%02X", dtls_srtp_key_material[j] );
}
mbedtls_printf( "\n" );
+
+ if ( dtls_srtp_negotiation_result->mki_len > 0 )
+ {
+ mbedtls_printf( " DTLS-SRTP mki value: " );
+ for( j = 0; j < dtls_srtp_negotiation_result->mki_len; j++ )
+ {
+ mbedtls_printf( "%02X", dtls_srtp_negotiation_result->mki_value[j] );
+ }
+ }
+ else
+ {
+ mbedtls_printf( " DTLS-SRTP no mki value negociated" );
+ }
+ mbedtls_printf( "\n" );
+
}
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index f84c485..210108d 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -8862,6 +8862,7 @@
-c "dumping 'received mki' (8 bytes)" \
-c "DTLS-SRTP key material is"\
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
+ -g "find_in_both '^ *DTLS-SRTP mki value: [0-9A-F]*$'"\
-C "error"
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
@@ -8874,12 +8875,14 @@
-s "selected srtp profile" \
-s "server hello, adding use_srtp extension" \
-s "DTLS-SRTP key material is"\
+ -s "DTLS-SRTP no mki value negociated"\
-S "dumping 'using mki' (8 bytes)" \
-c "client hello, adding use_srtp extension" \
-c "found use_srtp extension" \
-c "found srtp profile" \
-c "selected srtp profile" \
-c "DTLS-SRTP key material is"\
+ -c "DTLS-SRTP no mki value negociated"\
-g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
-c "dumping 'sending mki' (8 bytes)" \
-C "dumping 'received mki' (8 bytes)" \
@@ -9066,6 +9069,7 @@
-c "found srtp profile" \
-c "selected srtp profile" \
-c "DTLS-SRTP key material is"\
+ -c "DTLS-SRTP no mki value negociated"\
-c "dumping 'sending mki' (8 bytes)" \
-C "dumping 'received mki' (8 bytes)" \
-C "error"
@@ -9261,6 +9265,7 @@
-c "found srtp profile" \
-c "selected srtp profile" \
-c "DTLS-SRTP key material is"\
+ -c "DTLS-SRTP mki value:"\
-c "dumping 'sending mki' (8 bytes)" \
-c "dumping 'received mki' (8 bytes)" \
-C "error"